How to Recover From Play Ransomware Attack

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.

Play Ransomware: How to Prevent & Recover

Play ransomware was first seen in June 2022. Latin America, especially Brazil, is the Play hacker group’s primary target. The attackers are believed to be from Russia, as their encryption techniques are similar to those of the Russian ransomware groups Hive and Nokoyawa.

After entering the network through a vulnerability in the system, Play ransomware encrypts your files and then leaves a ransom note. The note states that your data is locked until the ransom is paid.

What kind of malware is Play?

Play is a type of ransomware that uses Cobalt Strike for post-compromise activity and the SystemBC RAT for persistence. It encrypts files, changes their extension, and leaves a ransom note.

The group exploits ProxyNotShell vulnerabilities in Microsoft Exchange to infect networks and steal data from businesses and organizations.

Play ransomware uses double extortion tactics as it not only encrypts the data but also copies it and threatens to leak the files if the ransom is not paid.

In August 2022, the Play hacker group attacked Argentina’s Judiciary of Cordoba, forcing it to shut down its IT system. As a result, the Judiciary had to use pen and paper to submit official documents. Experts believe that the attack happened via phishing emails.

Identify Play ransomware

Confirmed Name

  • Play virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker

Encrypted Files Extension

  • .PLAY

Ransom Demanding Message

  • ReadMe.txt

Is There a Free Decryptor Available?

  • No, there’s no public decryption key for Play ransomware

Detection Names

  • Avast Win32:Malware-gen
  • Emsisoft Gen:Variant.Fragtor.104675 (B)
  • Kaspersky HEUR:Trojan-Ransom.Win32.Crypmodng.gen
  • Malwarebytes Ransom.FileCryptor
  • Microsoft Ransom:Win32/Crypmodng!mclg
  • Sophos Mal/Generic-S

Symptoms

  • Cannot open files stored on your computer
  • New file extensions
  • A ransom demand message on your desktop
  • Files renamed with random letters

Distribution methods

  • Infected email attachments (phishing emails)
  • Torrent websites (infected links or files)
  • Malicious ads (malvertising)

Consequences

  • Locked files
  • Stolen passwords
  • Data breach

Prevention

  • Antivirus and anti-malware
  • Updated software
  • Updated operating system (OS)
  • Firewalls
  • Don’t open an email attachment from an unknown source
  • Use email security application to block malicious emails
  • Do not download files from suspicious websites
  • Use applications to block external unauthorized access to the network
  • Don’t click on ads unless you’re sure it’s safe
  • Only access websites from trustworthy sources

Play ransomware domains


How did Play infect your computer

As with many ransomware attacks, phishing is a primary method for Play ransomware to infect a network. If there’s any vulnerability in your security system, your business is open to a cyberattack.

The most common ways Play ransomware infects computers and networks are:

  • Malicious attachments and links in spam emails/messages
  • Online scams
  • Dubious download channels
  • Illegal software activation tools (cracks)
  • Fake updates
  • Drive-by (stealthy and deceptive) downloads

Spam email campaigns. This is a phishing email attack in which hackers use social engineering to deceive victims into clicking malicious links or attachments. After that, the exploit kit is downloaded onto the machine and the threat actors can trigger the ransomware at any moment. These emails can be targeted, when hackers intend to access a specific business, or non-targeted, when they send a mass malware spam campaign.

Unofficial software download sources and cracks. Pirated software and cracks are usually malicious programs. Also, this software will not receive the updates necessary to improve the program and prevent vulnerabilities that hackers can exploit.

Known software vulnerabilities. Hackers also use software with known vulnerabilities to attack businesses. That’s why it’s very important to keep all software updated and to protect remote administration tools like RDP.

Play encryption and ransom note

Every file will have the .PLAY extension after encryption. The ransomware uses the generic RSA-AES hybrid cryptosystem to encrypt files.

The Play ransom note is really simple, which is one of the main differences from other ransomware. Most of the time, the note is simply the word “PLAY” followed by the email address that victims must use to contact the attackers.

Some variants may add the link for the Tor website and the email address.

Example of the content for Play ransom note:

PLAY

news portal, tor network links:

mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion

k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion

[email protected]

How does Play ransomware work

Play ransomware has an intermittent encryption system. It follows 10 steps that not only encrypt the data but also steal it and threaten to leak it.

1. Initial Access

Play ransomware usually gains access to networks and systems through old legitimate credentials that have been reused across multiple platforms or that were previously leaked.

Exposed Remote Desktop Protocol (RDP) services are also a gateway for Play ransomware attacks.

2. Execution

The Execution step involves the use of scheduled tasks and PsExec. During this phase, the hackers control many user machines and use legitimate Windows tools to execute processes on other systems, then spread the ransomware across the network.

3. Persistence

The hackers continue to use the accounts as a persistence mechanism, enabling RDP access.

4. Privilege Escalation

In this phase, hackers use Mimikatz to extract high-privileged credentials from memory.

5. Defense Evasion

After that, the ransomware will disable antivirus and anti-malware software. The attackers then use the built-in Windows tool wevtutil to cover their tracks and disable Windows Defender.

6. Credential Access

In this step, Play will dump credentials on the target host and gain domain administrator access.

7. Discovery

During the discovery step, hackers will collect more information about the environment.

8. Lateral Movement

For lateral movement, Play uses different tools, such as:

  • Cobalt Strike
  • SystemBC
  • Empire
  • Mimikatz

9. Exfiltration

For exfiltration, Play’s approach is to split the data into chunks. They use WinRAR to compress the data and transfer it in the .RAR file format.

10. Impact

The final step is to encrypt the data, add the .PLAY file extension to the files, and place a ransom note.
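Several of the steps above leave process-creation traces that defenders can hunt for. The following is an added example, not code from the original article: it matches constructed sample events against the tools named in steps 2, 4, 5 and 9 and escalates only hosts whose hits span more than one step. The log format, host names, account names and regexes are assumptions for illustration.

```python
import re
from collections import defaultdict

# (step from the article, behaviour, regex). Regexes are illustrative assumptions.
RULES = [
    ("Execution", "PsExec", re.compile(r'\bpsexec(?:64)?(?:\.exe)?\b', re.I)),
    ("Execution", "scheduled task created",
     re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b', re.I)),
    ("Privilege Escalation", "Mimikatz", re.compile(r'mimikatz', re.I)),
    ("Defense Evasion", "event log cleared via wevtutil",
     re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b', re.I)),
    ("Exfiltration", "RAR archive created",
     re.compile(r'\b(?:winrar|rar)(?:\.exe)?"?\s+a\b', re.I)),
]

# Constructed sample events: timestamp|host|user|command line
SAMPLE_EVENTS = r'''
2023-01-10T02:11:04Z|FS01|CORP\svc_old|schtasks /create /tn upd /tr c:\temp\u.exe /sc once /st 02:15
2023-01-10T02:14:40Z|FS01|CORP\svc_old|C:\Tools\PsExec.exe \\WS07 -s cmd.exe
2023-01-10T02:30:12Z|FS01|CORP\svc_old|"C:\Program Files\WinRAR\Rar.exe" a c:\temp\out.rar d:\shares
2023-01-10T02:41:55Z|FS01|CORP\svc_old|wevtutil cl Security
2023-01-10T09:02:00Z|WS03|CORP\alice|"C:\Program Files\WinRAR\WinRAR.exe" a report.rar report.docx
'''

def findings(log_text):
    """Return {host: [(timestamp, step, behaviour), ...]} for every rule hit."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, _user, cmd = line.split("|", 3)
        for step, label, rx in RULES:
            if rx.search(cmd):
                hits[host].append((ts, step, label))
    return dict(hits)

def hosts_to_escalate(log_text, min_steps=2):
    """PsExec or WinRAR alone is routine admin activity; hits across
    several distinct steps on one host are what deserve an analyst."""
    return sorted(host for host, found in findings(log_text).items()
                  if len({step for _, step, _ in found}) >= min_steps)

if __name__ == "__main__":
    for host in hosts_to_escalate(SAMPLE_EVENTS):
        print(host, findings(SAMPLE_EVENTS)[host])
```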

Prevent Play ransomware attacks

We already mentioned several ways you can prevent Play ransomware attacks. Here is a complete list of what to do to keep your data and business safe.

1. Erase outdated and unused user accounts

Unused accounts are vulnerabilities that hackers can exploit. They are the primary way that Play ransomware gains access to RDP and sends phishing emails.

Deactivate and close unused accounts as well as those used by past employees.

2. Use strong passwords

Always use strong and unique passwords for each account and only share them with necessary people. This can guarantee that only authorized personnel will access each company account.

3. Apply multi-factor authentication

You can use two-factor authentication or biometric unlock to ensure that only authorized people have access to folders, devices, or accounts.

4. Schedule regular backups

Keep at least three copies of your data, with at least one stored offline and off-site. That way, even if you’re hit by a disaster, whether natural or human-made (like ransomware), your data is always safe.

Regular backups can prevent downtimes and ensure you never lose any sensitive data.

5. Use a cybersecurity solution

You can either have an IT team to guarantee your business security or hire a cybersecurity service.

Either way, you must look for vulnerabilities in the network, such as back doors, exploit kits, and outdated software.

6. Have a recovery plan in hand

Data recovery plans are documents that work as guides on what to do in case of a disaster. This can help you restore your business faster and more securely.

See how to create a data recovery plan with our in-depth guide.

How to handle the Play ransomware attack

The first step to recover from the Play attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, these are the local FBI field office and the Internet Crime Complaint Center (IC3).

To report a ransomware attack, you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with Play actors (if you have them)
  • Sample of an encrypted file

You must not delete the ransomware, and you must keep all evidence of the attack. That’s important for digital forensics, so experts can trace the attack back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

After isolating the device and contacting authorities, you must follow the next steps to retrieve your data:

1. Contact your Incident Response Retainer

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

2. Identify the ransomware infection

You can check which ransomware infected your machine by the file extension (some ransomware uses the file extension as its name, such as hajd ransomware), or it will be on the ransom note. With this information, you can look for a public decryption key. However, Play doesn’t have one yet.
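A read-only way to confirm and scope the infection from the indicators this article lists (the .PLAY extension and a ReadMe.txt note that opens with the word PLAY), as an added example that is not part of the original article. The demo tree, its file names and the placeholder contact address are constructed.

```python
import os, tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".play"   # article lists .PLAY; compared case-insensitively
NOTE_NAME = "readme.txt"  # article lists ReadMe.txt as the ransom note

def is_play_note(path):
    """A Play note is terse: its first non-blank line is the word PLAY."""
    with open(path, "r", errors="replace") as fh:
        for line in fh.read(4096).splitlines():
            if line.strip():
                return line.strip() == "PLAY"
    return False

def triage(root):
    """Walk root without modifying anything; summarise what was hit and when."""
    encrypted, notes, earliest = [], [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                mtime = os.stat(path).st_mtime
                earliest = mtime if earliest is None else min(earliest, mtime)
            elif name.lower() == NOTE_NAME and is_play_note(path):
                notes.append(path)  # ordinary readme files are skipped
    dirs = sorted({os.path.relpath(os.path.dirname(p), root) for p in encrypted})
    when = None if earliest is None else datetime.fromtimestamp(
        earliest, timezone.utc).isoformat(timespec="seconds")
    return {"encrypted_count": len(encrypted), "affected_dirs": dirs,
            "notes": sorted(os.path.relpath(p, root) for p in notes),
            "earliest_encryption_utc": when}

def demo():
    """Constructed tree: two encrypted files, one Play note, one benign readme."""
    root = tempfile.mkdtemp()
    layout = {"finance/q1.xlsx.PLAY": "x", "hr/staff.docx.play": "x",
              "finance/ReadMe.txt": "PLAY\n\ncontact@example.invalid\n",
              "tools/ReadMe.txt": "Install notes\n", "tools/setup.cfg": "x"}
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    os.utime(os.path.join(root, "finance", "q1.xlsx.PLAY"), (1673316000, 1673316000))
    return triage(root)

if __name__ == "__main__": print(demo())
```

Run it against a forensic image or a read-only mount so the evidence stays untouched; the earliest modification time is only an estimate of when encryption began.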

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t have a recent backup, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and guarantee Play ransomware does not attack your network again.

Contact our experts 24/7 for emergency recovery service or find a recovery center near you.
